NACM: Improved error message when no username included, and added username

2024-04-14 11:26:11 +02:00 · 2024-04-14 11:26:11 +02:00 · 1be158b7be
commit 1be158b7be
parent 87e49ca37a
4 changed files with 18 additions and 8 deletions
--- a/apps/backend/backend_client.c
+++ b/apps/backend/backend_client.c
@ -1805,7 +1805,7 @@ from_client_msg(clixon_handle        h,
            goto done;
        if (ret == 0){ /* Do NACM RPC validation */
            creds = clicon_nacm_credentials(h);
-            if ((ret = verify_nacm_user(h, creds, ce->ce_username, username, cbret)) < 0)
+            if ((ret = verify_nacm_user(h, creds, ce->ce_username, username, rpc, cbret)) < 0)
                goto done;
            if (ret == 0){ /* credentials fail */
                ce->ce_out_rpc_errors++;
--- a/apps/cli/cli_common.c
+++ b/apps/cli/cli_common.c
@ -1908,9 +1908,10 @@ cli_process_control(clixon_handle h,
        clixon_err(OE_UNIX, errno, "cbuf_new");
        goto done;
    }
-    cprintf(cb, "<rpc xmlns=\"%s\"", NETCONF_BASE_NAMESPACE);
-    cprintf(cb, " %s", NETCONF_MESSAGE_ID_ATTR);
-    cprintf(cb, ">");
+    cprintf(cb, "<rpc xmlns=\"%s\" username=\"%s\" %s>",
+            NETCONF_BASE_NAMESPACE,
+            clicon_username_get(h),
+            NETCONF_MESSAGE_ID_ATTR);
    cprintf(cb, "<process-control xmlns=\"%s\">", CLIXON_LIB_NS);
    cprintf(cb, "<name>%s</name>", name);
    cprintf(cb, "<operation>%s</operation>", opstr);
--- a/lib/clixon/clixon_nacm.h
+++ b/lib/clixon/clixon_nacm.h
@ -63,6 +63,6 @@ int nacm_datanode_write(clixon_handle h, cxobj *xr, cxobj *xt,
                        enum nacm_access access,
                        char *username, cxobj *xnacm, cbuf *cbret);
 int nacm_access_pre(clixon_handle h, char *peername, char *username, cxobj **xnacmp);
-int verify_nacm_user(clixon_handle h, enum nacm_credentials_t cred, char *peername, char *nacmname, cbuf *cbret);
+int verify_nacm_user(clixon_handle h, enum nacm_credentials_t cred, char *peername, char *nacmname, char *rpcname, cbuf *cbret);

 #endif /* _CLIXON_NACM_H */
--- a/lib/src/clixon_nacm.c
+++ b/lib/src/clixon_nacm.c
@ -1099,6 +1099,7 @@ nacm_datanode_read(clixon_handle h,
 * @param[in]  h        Clixon handle
 * @param[in]  xnacm    NACM XML tree, root should be "nacm"
 * @param[in]  username User name of requestor
+ * @param[in]  peername Peer username if any
 * @retval     1        OK permitted. You do not need to do next NACM step
 * @retval     0        OK but not validated. Need to do NACM step using xnacm
 * @retval    -1        Error
@ -1193,6 +1194,7 @@ nacm_access_check(clixon_handle h,
 * If retval=0 continue with next NACM step, eg rpc, module, 
 * etc. If retval = 1 access is OK and skip next NACM step.
 * @param[in]  h        Clixon handle
+ * @param[in]  peername Peer username if any
 * @param[in]  username User name of requestor
 * @param[out] xncam    NACM XML tree, set if retval=0. Free after use
 * @retval     1        OK permitted. You do not need to do next NACM step.
@ -1272,12 +1274,13 @@ nacm_access_pre(clixon_handle  h,
    goto done;
 }

-/*! Verify nacm user with  peer uid credentials
+/*! Verify nacm user with peer uid credentials
 *
 * @param[in]  h         Clixon handle
 * @param[in]  mode      Peer credential mode: none, exact or except
 * @param[in]  peername  Peer username if any
- * @param[in]  username  username received in XML (eg for NACM)
+ * @param[in]  nacmname  username received in XML (eg for NACM)
+ * @param[in]  rpcname   Name of incoming rpc
 * @param[out] cbret     Set with netconf error message if ret == 0
 * @retval     1         Verified
 * @retval     0         Not verified (cbret set)
@ -1297,6 +1300,7 @@ verify_nacm_user(clixon_handle           h,
                 enum nacm_credentials_t cred,
                 char                   *peername,
                 char                   *nacmname,
+                 char                   *rpcname,
                 cbuf                   *cbret)
 {
    int   retval = -1;
@ -1313,7 +1317,12 @@ verify_nacm_user(clixon_handle           h,
        goto fail;
    }
    if (nacmname == NULL){
-        if (netconf_access_denied(cbret, "application", "No NACM available") < 0)
+        if ((cbmsg = cbuf_new()) == NULL){
+            clixon_err(OE_UNIX, errno, "cbuf_new");
+            goto done;
+        }
+        cprintf(cbmsg, "No NACM username attribute present in incoming RPC: \"%s\"", rpcname);
+        if (netconf_access_denied(cbret, "application", cbuf_get(cbmsg)) < 0)
            goto done;
        goto fail;
    }